The IPSec feasibility study tested the use of IPSec tunnels between ECMWF and four member states to evaluate using IPSec as a backup network. The tests focused on device authentication using certificates, data integrity using HMAC-SHA and HMAC-MD5, data encryption using 3DES and DES, and performance. The results showed that most devices could authenticate and establish IPSec tunnels, with some issues around different certificate formats between devices. Data integrity and encryption tests were successful, with performance varying depending on device hardware.
A-SURVEY SECURITY PROTOCOL FOR WIRELESS SENSOR NETWORKEditor IJMTER
Nowadays, Wireless Sensor Networks are emerging because of the technological
developments in Wireless Communication. Wireless Sensor Networks are deployed mostly in open
and unguarded environment. The key features of Wireless Sensor Networks are low power, lowmemory, low-energy scaled nodes. Security is a fundamental requirement for Wireless Sensor
Network. Security is the main concern for everything whether it is for wired based network or
wireless based network. Security in Wireless Sensor Network plays an important role in node
communication. For Wireless Sensor Network so many security protocol available but some have
some limitation. In this paper, our center of attention is security protocols for Wireless Sensor
Network through this paper; we have to identify the security protocols and their limitation for
Wireless Sensor Network.
Random Key Pre-distribution Schemes using Multi-Path in Wireless Sensor Networksijceronline
International Journal of Computational Engineering Research (IJCER) is dedicated to protecting personal information and will make every reasonable effort to handle collected information appropriately. All information collected, as well as related requests, will be handled as carefully and efficiently as possible in accordance with IJCER standards for integrity and objectivity.
HP Helion Webinar #5 - Security Beyond FirewallsBeMyApp
OpenStack security is a huge and broad topic.
In this webinar we will analyze cloud security, the network to the application layer, going through specific layers, some in common between OpenStack itself and the applications. We will also understand how security will be impacted by the cloud philosophy.
2.espk external agent authentication and session key establishment using publ...EditorJST
Wireless sensor networks (WSNs) have recently attracted a lot of interest in the research community due their wide range of applications. Due to distributed and deployed in a un attend environment, these are vulnerable to numerous security threats. In this paper, describe the design and implementation of public-key-(PK)-based protocols that allow authentication and session key establishment between a sensor network and a third party. WSN have limitations on computational capacity, battery etc which provides scope for challenging problems. We fundamentally focused on the security issue of WSNs The proposed protocol is efficient and secure in compared to other public key based protocols in WSNs.
A Survey on Secure Hierarchical LEACH Protocol over Wireless Sensor NetworkIJERD Editor
Wireless Sensor Network contain number of nodes. Lifetime of Sensor nodes depend on their battery
power, which cannot be reenergize. Thus, to save the node energy & lifetime of the Network energy efficient
LEACH protocol is introduced. Wireless sensor networks are facing many experiments such as the partial source
in processing power, storage and energy. The inadequate energy source is one of the main tasks facing the security
in such networks. LEACH doesn’t shield the safety harms. So we want to improve security scenario of Secure
LEACH protocol. Hierarchical or cluster base routing protocol for WSNs is the most energy-efficient among other
routing protocols. This paper shows different security mechanism used in LEACH protocol. This all protocol is
based on Hierarchical routing protocol. This paper shows basic scenario of security in LEACH.
A-SURVEY SECURITY PROTOCOL FOR WIRELESS SENSOR NETWORKEditor IJMTER
Nowadays, Wireless Sensor Networks are emerging because of the technological
developments in Wireless Communication. Wireless Sensor Networks are deployed mostly in open
and unguarded environment. The key features of Wireless Sensor Networks are low power, lowmemory, low-energy scaled nodes. Security is a fundamental requirement for Wireless Sensor
Network. Security is the main concern for everything whether it is for wired based network or
wireless based network. Security in Wireless Sensor Network plays an important role in node
communication. For Wireless Sensor Network so many security protocol available but some have
some limitation. In this paper, our center of attention is security protocols for Wireless Sensor
Network through this paper; we have to identify the security protocols and their limitation for
Wireless Sensor Network.
Random Key Pre-distribution Schemes using Multi-Path in Wireless Sensor Networksijceronline
International Journal of Computational Engineering Research (IJCER) is dedicated to protecting personal information and will make every reasonable effort to handle collected information appropriately. All information collected, as well as related requests, will be handled as carefully and efficiently as possible in accordance with IJCER standards for integrity and objectivity.
HP Helion Webinar #5 - Security Beyond FirewallsBeMyApp
OpenStack security is a huge and broad topic.
In this webinar we will analyze cloud security, the network to the application layer, going through specific layers, some in common between OpenStack itself and the applications. We will also understand how security will be impacted by the cloud philosophy.
2.espk external agent authentication and session key establishment using publ...EditorJST
Wireless sensor networks (WSNs) have recently attracted a lot of interest in the research community due their wide range of applications. Due to distributed and deployed in a un attend environment, these are vulnerable to numerous security threats. In this paper, describe the design and implementation of public-key-(PK)-based protocols that allow authentication and session key establishment between a sensor network and a third party. WSN have limitations on computational capacity, battery etc which provides scope for challenging problems. We fundamentally focused on the security issue of WSNs The proposed protocol is efficient and secure in compared to other public key based protocols in WSNs.
A Survey on Secure Hierarchical LEACH Protocol over Wireless Sensor NetworkIJERD Editor
Wireless Sensor Network contain number of nodes. Lifetime of Sensor nodes depend on their battery
power, which cannot be reenergize. Thus, to save the node energy & lifetime of the Network energy efficient
LEACH protocol is introduced. Wireless sensor networks are facing many experiments such as the partial source
in processing power, storage and energy. The inadequate energy source is one of the main tasks facing the security
in such networks. LEACH doesn’t shield the safety harms. So we want to improve security scenario of Secure
LEACH protocol. Hierarchical or cluster base routing protocol for WSNs is the most energy-efficient among other
routing protocols. This paper shows different security mechanism used in LEACH protocol. This all protocol is
based on Hierarchical routing protocol. This paper shows basic scenario of security in LEACH.
Enhancing the Security in WSN using Three Tier Security ArchitectureAM Publications,India
Security is the main issue while setting up the WSN network for node communication. This report describes the efficient mechanism for achieving the security between node communications by creating three tier security architecture. This system implements three tier architecture with the use of two polynomial pools having sensor nodes, mobile sinks and some access points that are also sensor nodes, to get better security. Two pools are common mobile polynomial pool and common static polynomial pool. Mobile sinks and access point carries keys from common mobile polynomial pool were as, access points and sensor nodes carries keys from common static polynomial pool. Communication gets established from mobile sink to access point then from access point to sensor node that shows three tier architecture Authentication is the main aspect of the system, that is achieved by pairwise key predistribution methods and authentication of the nodes with the use of polynomial keys. Here, Mobile sink replication attack is implemented against the network. The malicious node, it is blocked. If it wants to communicate within the network then it needs to capture large no of keys from both the pools for authentication. But as the sufficient keys are not available with it, it cannot communicate with the other nodes in the network
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
In Wireless Sensor Networks (WSN), the wireless connections are prone to different type
of attacks. Therefore, security of the data that transfer over the wireless network is a measure
concern in WSN. Due to the limitation of nodes’ energy, efficient energy utilization is also an
important factor. Hence to provide security along with efficient energy utilization of sensor
nodes, Secure and Energy Efficient Hierarchical and Dynamic Elliptic Curve Cryptosystem
(HiDE) scheme is proposed. It includes a hierarchical cluster-based architecture consisting of a
several Area Clusters and a Backbone Network. To provide security Elliptic Curve Cryptography
(ECC) is used. For energy efficient data transmission, Low Energy Adaptive Clustering
Hierarchy (LEACH) is used to select the Cluster Head dynamically. Each Cluster Head collects
the data from their own cluster and transmit to the Destination through the Gateway (GW) in the
Backbone Network. However, limited by the coverage of Gateway, Source Gateway may not be
directly linked with the Destination Gateway in a single hop, so needs to hop through other
Gateways to reach the Destination. Data encryption using Elliptic Curve Cryptography provides
high security with small key size than the existing RSA. Key management includes key
computation, key exchanges, data encryption and decryption. Cluster-based cryptographic
mechanism provides efficient energy utilization of sensor nodes along with security and lower
message overhead. Thus, Hierarchical and Dynamic Elliptic Curve Cryptosystem can protect the
confidentiality of sensitive data with low computation complexity, and also keep the
performance of the network in Wireless Sensor Network.
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
Secure data aggregation technique for wireless sensor networks in the presenc...LeMeniz Infotech
Secure data aggregation technique for wireless sensor networks in the presence of collusion attacks
Do Your Projects With Technology Experts
To Get this projects Call : 9566355386 / 99625 88976
Visit : www.lemenizinfotech.com / www.ieeemaster.com
Mail : projects@lemenizinfotech.com
As sensor networks edge closer towards wide-spread placement, security issues become a central concern. So far, much research has concentrated on making sensor networks feasible and useful, and has not focused on security.
We present a set of security building blocks optimized for resource constrained environments and wireless communication. SPINS has two secure building blocks: SNEP and TESLA. SNEP provides the following important baseline security primitives: Data confidentiality, two-party data authentication, and data freshness. A particularly hard problem is to provide effective broadcast authentication, which is an important mechanism for sensor networks. TESLA is a new protocol which provides authenticated broadcast for severely resource-constrained surroundings. We realized the above protocols, and show that they are practical straighly on minimal hardware: the performance of the protocol suite easily matches the data rate of our network. Additionally, we prove that the suite can be used for building higher level protocols
This presentation is about the intrusion detection techniques in a mobile ad hoc network. A MANET is an infrastructure-less network and has no central authority to govern the security check if the new node added to the network is trust worthy or not. There are number of security attacks in a MANET and there are number of advantages of a MANET. Most of its applications prove to be a boon when there is a need of a network for communication in a hostile environment and in remote areas. So it must be made secure. Work is still in progress regarding the security of MANET. The migration to wireless network from wired network
has been a global trend in the past few decades. The mobility
and scalability brought by wireless network made it possible in
many applications. Among all the contemporary wireless networks,
Mobile Ad hoc NETwork (MANET) is one of the most
important and unique applications. On the contrary to traditional
network architecture, MANET does not require a fixed network
infrastructure; every single node works as both a transmitter and
a receiver. Nodes communicate directly with each other when they
are both within the same communication range. Otherwise, they
rely on their neighbors to relay messages. The self-configuring
ability of nodes inMANETmade it popular among criticalmission
applications like military use or emergency recovery. However,
the open medium and wide distribution of nodes make MANET
vulnerable to malicious attackers. In this case, it is crucial to
develop efficient intrusion-detection mechanisms to protect
MANET from attacks. With the improvements of the technology
and cut in hardware costs, we are witnessing a current trend of
expanding MANETs into industrial applications. To adjust to such
trend, we strongly believe that it is vital to address its potential
security issues. In this paper, we propose and implement a new
intrusion-detection system named Enhanced Adaptive ACKnowledgment
(EAACK) specially designed for MANETs. Compared
to contemporary approaches, EAACK demonstrates higher malicious-
behavior-detection rates in certain circumstances while does
not greatly affect the network performances.By definition, Mobile Ad hoc NETwork (MANET) is a
collection of mobile nodes equipped with both a wireless
transmitter and a receiver that communicate with each other
via bidirectional wireless links either directly or indirectly.
Industrial remote access and control via wireless networks are
becoming more and more popular these days. One of the
major advantages of wireless networks is its ability to allow
data communication between different parties and still maintain
their mobility. However, this communication is limited to
the range of transmitters. This means that two nodes cannot
communicate with each other when the distance between the
two nodes is beyond the communication range of their own.
MANET solves this problem by allowing intermediate parties
to relay data transmissions. T
A key management approach for wireless sensor networksZac Darcy
In this paper we presenta key management approach for wireless sensor networks. This approach
facilitating an efficient scalable post-distribution key establishment that provides different security services.
We have developed and tested this approach under TinyOs. Result shows that this approach provides
acceptable resistance against node capture attacks and replay attacks. The provision of security services is
completely transparent to the user of the WSNs. Furthermore, being highly scalable and lightweight, this
approach is appropriate to be used in a wireless sensor network of hundreds of nodes.
Securing Many-To- Many Wireless Sensor Networks With Unique Dynamic KeyEditor IJMTER
Due to the sensitive nature of the data transmitted by applications ranging from mobile target
surveillance to intelligent home networking, through Wireless sensor networks, (WSNs) appropriate
protection mechanisms are needed to prevent attackers from exploiting the weaknesses of the radio links.
In this paper, we propose a novel group key management scheme. This paper investigates the use of secure
tunnels as a solution to improve the protection of WSNs. We propose a tunneling scheme that conforms
to the security requirements of WSNs while having less computational and network overhead. Our
protocol considerably can reduce the number of transmitted messages as well as the computational load,
which makes it suitable for WSNs. We tested the proposed protocol considering two models of mobility
of the targets which are respectively the Random Walk model and the Gauss Markov model.
Enhancing the Security in WSN using Three Tier Security ArchitectureAM Publications,India
Security is the main issue while setting up the WSN network for node communication. This report describes the efficient mechanism for achieving the security between node communications by creating three tier security architecture. This system implements three tier architecture with the use of two polynomial pools having sensor nodes, mobile sinks and some access points that are also sensor nodes, to get better security. Two pools are common mobile polynomial pool and common static polynomial pool. Mobile sinks and access point carries keys from common mobile polynomial pool were as, access points and sensor nodes carries keys from common static polynomial pool. Communication gets established from mobile sink to access point then from access point to sensor node that shows three tier architecture Authentication is the main aspect of the system, that is achieved by pairwise key predistribution methods and authentication of the nodes with the use of polynomial keys. Here, Mobile sink replication attack is implemented against the network. The malicious node, it is blocked. If it wants to communicate within the network then it needs to capture large no of keys from both the pools for authentication. But as the sufficient keys are not available with it, it cannot communicate with the other nodes in the network
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
In Wireless Sensor Networks (WSN), the wireless connections are prone to different type
of attacks. Therefore, security of the data that transfer over the wireless network is a measure
concern in WSN. Due to the limitation of nodes’ energy, efficient energy utilization is also an
important factor. Hence to provide security along with efficient energy utilization of sensor
nodes, Secure and Energy Efficient Hierarchical and Dynamic Elliptic Curve Cryptosystem
(HiDE) scheme is proposed. It includes a hierarchical cluster-based architecture consisting of a
several Area Clusters and a Backbone Network. To provide security Elliptic Curve Cryptography
(ECC) is used. For energy efficient data transmission, Low Energy Adaptive Clustering
Hierarchy (LEACH) is used to select the Cluster Head dynamically. Each Cluster Head collects
the data from their own cluster and transmit to the Destination through the Gateway (GW) in the
Backbone Network. However, limited by the coverage of Gateway, Source Gateway may not be
directly linked with the Destination Gateway in a single hop, so needs to hop through other
Gateways to reach the Destination. Data encryption using Elliptic Curve Cryptography provides
high security with small key size than the existing RSA. Key management includes key
computation, key exchanges, data encryption and decryption. Cluster-based cryptographic
mechanism provides efficient energy utilization of sensor nodes along with security and lower
message overhead. Thus, Hierarchical and Dynamic Elliptic Curve Cryptosystem can protect the
confidentiality of sensitive data with low computation complexity, and also keep the
performance of the network in Wireless Sensor Network.
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
Secure data aggregation technique for wireless sensor networks in the presenc...LeMeniz Infotech
Secure data aggregation technique for wireless sensor networks in the presence of collusion attacks
Do Your Projects With Technology Experts
To Get this projects Call : 9566355386 / 99625 88976
Visit : www.lemenizinfotech.com / www.ieeemaster.com
Mail : projects@lemenizinfotech.com
As sensor networks edge closer towards wide-spread placement, security issues become a central concern. So far, much research has concentrated on making sensor networks feasible and useful, and has not focused on security.
We present a set of security building blocks optimized for resource constrained environments and wireless communication. SPINS has two secure building blocks: SNEP and TESLA. SNEP provides the following important baseline security primitives: Data confidentiality, two-party data authentication, and data freshness. A particularly hard problem is to provide effective broadcast authentication, which is an important mechanism for sensor networks. TESLA is a new protocol which provides authenticated broadcast for severely resource-constrained surroundings. We realized the above protocols, and show that they are practical straighly on minimal hardware: the performance of the protocol suite easily matches the data rate of our network. Additionally, we prove that the suite can be used for building higher level protocols
This presentation is about the intrusion detection techniques in a mobile ad hoc network. A MANET is an infrastructure-less network and has no central authority to govern the security check if the new node added to the network is trust worthy or not. There are number of security attacks in a MANET and there are number of advantages of a MANET. Most of its applications prove to be a boon when there is a need of a network for communication in a hostile environment and in remote areas. So it must be made secure. Work is still in progress regarding the security of MANET. The migration to wireless network from wired network
has been a global trend in the past few decades. The mobility
and scalability brought by wireless network made it possible in
many applications. Among all the contemporary wireless networks,
Mobile Ad hoc NETwork (MANET) is one of the most
important and unique applications. On the contrary to traditional
network architecture, MANET does not require a fixed network
infrastructure; every single node works as both a transmitter and
a receiver. Nodes communicate directly with each other when they
are both within the same communication range. Otherwise, they
rely on their neighbors to relay messages. The self-configuring
ability of nodes inMANETmade it popular among criticalmission
applications like military use or emergency recovery. However,
the open medium and wide distribution of nodes make MANET
vulnerable to malicious attackers. In this case, it is crucial to
develop efficient intrusion-detection mechanisms to protect
MANET from attacks. With the improvements of the technology
and cut in hardware costs, we are witnessing a current trend of
expanding MANETs into industrial applications. To adjust to such
trend, we strongly believe that it is vital to address its potential
security issues. In this paper, we propose and implement a new
intrusion-detection system named Enhanced Adaptive ACKnowledgment
(EAACK) specially designed for MANETs. Compared
to contemporary approaches, EAACK demonstrates higher malicious-
behavior-detection rates in certain circumstances while does
not greatly affect the network performances.By definition, Mobile Ad hoc NETwork (MANET) is a
collection of mobile nodes equipped with both a wireless
transmitter and a receiver that communicate with each other
via bidirectional wireless links either directly or indirectly.
Industrial remote access and control via wireless networks are
becoming more and more popular these days. One of the
major advantages of wireless networks is its ability to allow
data communication between different parties and still maintain
their mobility. However, this communication is limited to
the range of transmitters. This means that two nodes cannot
communicate with each other when the distance between the
two nodes is beyond the communication range of their own.
MANET solves this problem by allowing intermediate parties
to relay data transmissions. T
A key management approach for wireless sensor networksZac Darcy
In this paper we presenta key management approach for wireless sensor networks. This approach
facilitating an efficient scalable post-distribution key establishment that provides different security services.
We have developed and tested this approach under TinyOs. Result shows that this approach provides
acceptable resistance against node capture attacks and replay attacks. The provision of security services is
completely transparent to the user of the WSNs. Furthermore, being highly scalable and lightweight, this
approach is appropriate to be used in a wireless sensor network of hundreds of nodes.
Securing Many-To- Many Wireless Sensor Networks With Unique Dynamic KeyEditor IJMTER
Due to the sensitive nature of the data transmitted by applications ranging from mobile target
surveillance to intelligent home networking, through Wireless sensor networks, (WSNs) appropriate
protection mechanisms are needed to prevent attackers from exploiting the weaknesses of the radio links.
In this paper, we propose a novel group key management scheme. This paper investigates the use of secure
tunnels as a solution to improve the protection of WSNs. We propose a tunneling scheme that conforms
to the security requirements of WSNs while having less computational and network overhead. Our
protocol considerably can reduce the number of transmitted messages as well as the computational load,
which makes it suitable for WSNs. We tested the proposed protocol considering two models of mobility
of the targets which are respectively the Random Walk model and the Gauss Markov model.
A Comparative Analysis of Additional Overhead Imposed by Internet Protocol Se...ijceronline
IPSec, an Internet layer three (3)-security protocol suite is often characterising with introducing an additional space and processing overhead when implemented on a network for secured communication using either internet protocol version 4 or 6; IPv4 or IPv6. The use of Internet protocol security (IPSec) on IPv4 is an alternative that offers solutions and addresses the security vulnerabilities in network layer of the open system interconnect (OSI) and transmission control protocol/internet protocol (TCP/IP) protocol stack. In IPv6, IPSec is one among many other features added to the earlier Internet protocol to enhance efficiency and security. This paper, set as its objective to reports on the impact of processing and space overhead introduced by IPSec on both IPv4 and IPv6 in relation to packet end-to-end delay based on different IPSec transformations with different authentication and encryption algorithms deployed in different scenarios simulated using NS2. The experiment result reveals that the cost of IPSec added overhead is relatively small when smaller packet sizes are involved for both protocols in comparison with large packet sizes that were IPSec protected with the same configuration as the smaller packet, unless in the cases whereby the packet was very large which has to be fragmented. This paper can therefore, serve as a guide for network administrators to trade up between processing cost and larger address space specifically for transmission involving larger IP packets
A Comparative Research on SSL VPN and IPSec VPNijtsrd
With information technology growth, VPN In a variety of areas, technology has been commonly used. Here we are. Two forms of VPN are studied in paper IPSec and SSL VPN Detailed implementation, protection, scalability and breadth Other dimensions, benefits and contrasts are analyzed and compared. Inappropriate collection comparison is summarized, finally, Standard suggested. Standard proposed. Vaibhav Gahlot "A Comparative Research on SSL VPN and IPSec VPN" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-2 , February 2021, URL: https://www.ijtsrd.com/papers/ijtsrd38333.pdf Paper Url: https://www.ijtsrd.com/computer-science/computer-security/38333/a-comparative-research-on-ssl-vpn-and-ipsec-vpn/vaibhav-gahlot
As sensor networks edge closer towards wide-spread placement, security issues become a central concern. So far, much research has concentrated on making sensor networks feasible and useful, and has not focused on security.
We present a set of security building blocks optimized for resource constrained environments and wireless communication. SPINS has two secure building blocks: SNEP and TESLA. SNEP provides the following important baseline security primitives: Data confidentiality, two-party data authentication, and data freshness. A particularly hard problem is to provide effective broadcast authentication, which is an important mechanism for sensor networks. TESLA is a new protocol which provides authenticated broadcast for severely resource-constrained surroundings. We realized the above protocols, and show that they are practical straighly on minimal hardware: the performance of the protocol suite easily matches the data rate of our network. Additionally, we prove that the suite can be used for building higher level protocols
IP Security One problem with Internet protocol (IP) is that it has.pdfsolimankellymattwe60
IP Security
One problem with Internet protocol (IP) is that it has no method for confirming the authenticity
and security of data as it moves through the net. IP datagrams are typically routed between
devices over disparate networks; as a result, information within these datagrams could be
intercepted and altered. As use of the Internet for critical applications has increased, the need for
enhancements to IP security became necessary. As a result, the Internet Engineering Task Force
(IETF) created a set of protocols called IP Security, or IPsec, to support the secure exchange of
packets over the Internet. IPsec is now a mandatory component of IPv6 and must be supported
for any IPv6 implementation. IPsec is implemented in IPv6 using the authentication header (AH)
and the encapsulating security payload (ESP) extension header.
Answer the following questions in a 3- to 4-page, APA-formatted paper:
1 What is IPsec, and why is it necessary? How is IPsec used in VPN?
2 Which network layer currently suffers from attacks, and why? At which layers of the
network stack architecture should a solution be attempted? Provide details.
3 How is IP security achieved? What is the basic authentication scheme? Which mechanisms
are used? What are some of the application venues of IPsec?
4 How is a VPN implemented on a server so that its clients can connect to it?
Remember to properly cite your sources according to APA guidelines.
Solution
IPSec
IPsec also known as IP Security.Internet Protocol Security is a framework for a set of protocols
that provide security for internet protocol. It can use cryptography to provide security. IPsec
support network level data integrity, data confidentiality. As it is integrated at the internet layer
(i.e. layer 3), it provides security for all the protocols in the TCP/IP. IPsec applied transparently
to the applications, there is no need to configure separate security for each application the uses
TCP/IP.
IPsec provides security for
IPsec provides two choices of security service: Authentication Header (AH), which essentially
allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which
supports both authentication of the sender and encryption of data as well. The specific
information associated with each of these services is inserted into the packet in a header that
follows the IP packet header. Separate key protocols can be selected, such as the
ISAKMP/Oakley protocol.
IPsec is necessary for
Earlier security approaches have inserted security at the Application layer of the communications
model. IPsec is said to be especially useful for implementing virtual private networks and for
remote user access through dial-up connection to private networks. A big advantage of IPsec is
that security arrangements can be handled without requiring changes to individual user
computers. Cisco has been a leader in proposing IPsec as a standard (or combination of standards
and technologies) and has included support fo.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Virtual private networks (VPN) provide remotely secure connection for clients to exchange information with company networks. This paper deals with Site-to-site IPsec-VPN that connects the company intranets. IPsec-VPN network is implemented with security protocols for key management and exchange, authentication and integrity using GNS3 Network simulator. The testing and verification analyzing of data packets is done using both PING tool and Wireshark to ensure the encryption of data packets during data exchange between different sites belong to the same company.
This research makes the classification system of category selection title undergraduate thesis title use k-nearest neighbor method. This research will be conducted on the students of Informatics Engineering Department Faculty of Engineering, Universitas Nusantara PGRI Kediri. The purpose of making this system is to employee department and students to more easily make a classification of category selection undergraduate thesis title based on the field of interest and field of expertise of each student. The method used to classify the selection of undergaduate thesis title categories is k-nearest neighbor method using several criteria based on students' interests and expertise in a particular field or course. The result of this sitem is an information category of undergraduate thesis title of students who have been processed based on the field of interest and field of expertise of each student.
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Safalta Digital marketing institute in Noida, provide complete applications that encompass a huge range of virtual advertising and marketing additives, which includes search engine optimization, virtual communication advertising, pay-per-click on marketing, content material advertising, internet analytics, and greater. These university courses are designed for students who possess a comprehensive understanding of virtual marketing strategies and attributes.Safalta Digital Marketing Institute in Noida is a first choice for young individuals or students who are looking to start their careers in the field of digital advertising. The institute gives specialized courses designed and certification.
for beginners, providing thorough training in areas such as SEO, digital communication marketing, and PPC training in Noida. After finishing the program, students receive the certifications recognised by top different universitie, setting a strong foundation for a successful career in digital marketing.
Francesca Gottschalk - How can education support child empowerment.pptxEduSkills OECD
Francesca Gottschalk from the OECD’s Centre for Educational Research and Innovation presents at the Ask an Expert Webinar: How can education support child empowerment?
Francesca Gottschalk - How can education support child empowerment.pptx
Ip sec technote-en
1. IPSec Feasibility Study
May 2003 1
IPSec Feasibility Study (in cooperation
with DWD, Météo France, HNMS and
KNMI):
Summary and recommendations
Network and Security Section
Computer Division
May 2003
3. IPSec Feasibility Study
Contents
1 Introduction .....................................................................................................................................1
2 Technical Overview.........................................................................................................................2
2.1 IP VPN definition.....................................................................................................................2
2.2 IPSec protocol ..........................................................................................................................2
3 The IPSec Tests ...............................................................................................................................3
3.1 IPSec parameter settings...........................................................................................................3
3.2 The lab tests..............................................................................................................................5
3.3 Internet tests .............................................................................................................................6
4 Test Results......................................................................................................................................7
4.1 Test #1: Certificate enrolment and device authentication ........................................................7
4.2 Test #2: Data Integrity..............................................................................................................7
4.3 Test #3: Data Encryption..........................................................................................................7
4.4 Test #4: Performance tests........................................................................................................7
5 Recommendations............................................................................................................................9
5.1 Device authentication...............................................................................................................9
5.2 Data integrity............................................................................................................................9
5.3 Data encryption ........................................................................................................................9
5.4 The IPSec capable equipment ..................................................................................................9
5.5 Network Design......................................................................................................................10
6 Acknowledgement.........................................................................................................................11
Annex A - Configuration guidelines and examples ..........................................................................13
A.1 Output and configuration files for Cisco Router and PIX......................................................13
Cisco IOS: certificate enrolment guideline....................................................................................13
Cisco IOS: enrolment output .........................................................................................................13
Cisco IOS: IPSec configuration example ......................................................................................14
Cisco PIX: configuration example.................................................................................................15
A.2 FreeS/WAN configuration example.......................................................................................15
Annex B - References.......................................................................................................................17
Annex C - List of acronyms..............................................................................................................18
May 2003 i
4.
5. IPSec Feasibility Study
1 Introduction
During 2002 ECMWF and four Member States (Germany, Greece, France and the Netherlands)
undertook IPSec tests in order to evaluate the feasibility of using an IPSec-based VPN as a back up
for the RMDCN and for the transfer of amounts of data, which are excessive relative to the capacity
of the RMDCN.
As most RMDCN sites have Internet access, using an IPSec-based VPN link as an additional backup,
in case of a failure of the RMDCN link and its associated ISDN backup, will help to guarantee service
continuity.
The RMDCN is a purpose-built network for real-time and operational data transfer and the various
allocated bandwidths have a limited throughput. The Internet can be used in addition to the RMDCN
to perform data transfer for cases where the RMDCN capacity is insufficient. However, it is worth
keeping in mind that:
The Internet lacks the concept of guaranteed bandwidth and QoS (Quality of Service) and is
subject to various attacks, including DoS (Denial of Service) attacks.
Long lasting outages occur on the Internet from time to time
This document reports on the results of the IPSec tests and provides guidelines and recommendations
for building secure connections over the Internet. It is divided into four parts:
Part 1 gives a brief introduction to Virtual Private Networks and IPSec.
Part 2 describes the IPSec tests that were carried out.
Part 3 presents the results of the tests.
Part 4 details the recommendations.
May 2003 1
6. IPSec Feasibility Study
2 Technical Overview
2.1 IP VPN definition
A Virtual Private Network is a group of two or more computer systems connected “securely” over a
public network. VPNs can be installed between an individual machine and a private network (remote
user-to-site) or between private networks (site-to-site). Security features differ from product to
product, but most security experts agree that VPNs should include encryption, strong authentication of
remote users or hosts, and mechanisms for hiding or masking information about the private network
topology from potential attackers on the public network.
2.2 IPSec protocol
IPSec is an end-to-end security protocol: all the functionality and intelligence of the VPN connection
reside at the end points, either in a gateway or in the end-host.
The service provider’s IP network is not aware of the existence of the IP VPN, as tunnelling
technologies ensure the transport of application data by encapsulation. The source address and the
destination address of these packets are the IP addresses of the end points of the tunnel. They are then
routed as any normal IP packets through the shared IP network.
In the past, several IP tunnelling protocols have been deployed. Over the last 3 years, however, IPSec
has become the predominant IP tunnelling protocol and is currently the technology of choice when
implementing site-to-site connectivity over a public network. IPSec was initially developed to ensure
private communications over public IP networks. The protocol supports two main security functions:
Authentication: ensuring the authenticity and the integrity of the whole IP packet;
Encryption: ensuring the confidentiality of the payload.
Through IPSec it is possible to define a tunnel between two gateways. An IPSec gateway would
typically be an access router or a firewall on which the IPSec protocol is implemented. IPSec
gateways sit between the user's private network and the carrier's shared network.
IPSec tunnels are established dynamically and released when they are not in use. To establish an
IPSec tunnel, two gateways must authenticate themselves and define which security algorithms and
keys they will use for the tunnel. The entire original IP packet is encrypted and wrapped inside IPSec
authentication and encryption headers. This becomes the payload of a new IP packet whose source
and destination IP addresses are the public network IP addresses of the IPSec gateways. This ensures
the logical separation between VPN traffic flows in a shared IP network. Traditional IP routing is then
used between the tunnel end points.
IPSec achieves these objectives by using:
Two traffic security protocols: the Authentication Header (AH), which provides data integrity,
and the Encapsulation Security Payload (ESP), which provides data integrity and data
confidentiality.
A cryptographic-key management protocol: the Internet Key Exchange (IKE), which is used to
negotiate IPSec connections.
For further information about IPSec protocol, see the list of References in Annex B.
2 May 2003
7. IPSec Feasibility Study
3 The IPSec Tests
The main goals of these tests were:
Evaluate the feasibility of using IPSec tunnels to establish site-to-site connectivity:
Although several documents have been written regarding the implementation of IPSec and its
various issues, it was worth testing it, in order to gain a thorough understanding of the IPSec
protocol itself, to have an appreciation of its complexity and to evaluate the feasibility of its
implementation in the context of the RMDCN.
Test the interoperability of IPSec :
The meteorological centres connected to the RMDCN may already have some equipment (router,
firewall, etc.), which is IPSEC capable. Even if interoperability will not be an issue today, the
interoperability of different devices has to be checked.
Define global recommendations:
RMDCN sites that are considering implementations of IPSec can use this document and its
recommendations as a starting point.
3.1 IPSec parameter settings
As it was not feasible to test all IPSec features and capabilities, the tests focused on a subset. An
initial option was chosen for each IPSec parameter:
Tunnel mode vs. Transport mode
Both AH and ESP protocols operate in two modes: transport mode and tunnel mode. Each of these
modes has its wn applications:
Tunnel mode is commonly used to encrypt traffic between secure IPSec gateways.
Transport mode is used between end stations supporting IPSec or between an end station and a
gateway, if the gateway is regarded as a host.
As the aim of the tests was to investigate secure site-to-site connections, only IPSec “Tunnel mode”
was considered (see Figure 1 below) in the framework of this study.
Router
ECMWF
Router
IPSec/VPN Equipment
INTERNET
IPSec Tunnel
IPSec Tunnel
Figure 1 - IPSec “Tunnel mode” tests
Key exchange
IPSec Tunnel keys can be managed either manually or dynamically. For scalability and
maintainability reasons, IKE was used for the dynamic key management during the tests.
May 2003 3
8. IPSec Feasibility Study
Device authentication method
The IKE protocol is very flexible and supports multiple authentication methods. The two peers must
agree on a common authentication method through a negotiation process. The two main
authentication protocols are:
PreShared key:
The same key is configured on each IPSec peer. IKE peers authenticate each other by computing
and sending a keyed hash of data using the configured PreShared key. If the receiving peer is able
to create the same hash independently using its own PreShared key, it knows that both peers must
share the same secret, thus authenticating the other peer.
RSA (Rivest, Shamir, Adleman) Signature:
This uses a digital signature, where each device digitally signs a set of data and sends it to the
other party. RSA signatures use a CA (Certificate Authority) to generate a unique digital
certificate that is assigned to each peer for authentication. The digital certificate is similar in
function to the PreShared key, but provides much stronger security.
PreShared keys are easy to implement but do not scale well, as each IPSec peer must be configured
with the PreShared key of every other peer with which it will establish a session. In addition,
PreShared keys are less secures and are configured in clear text format in some equipment, for
example in a Cisco router.
Therefore, RSA signatures using x509 v.3 certificates were used.
Data integrity and authenticity
Data integrity is implemented by including a message digest (or fingerprint) of the data within the
IPSec packets. Message digests are calculated using hash functions. All IPSec capable devices should
support hash functions HMAC-MD5 and HMAC-SHA, as stated in the RFC (Request For Comments)
2401. Therefore, other less commonly used hash functions were ignored. HMAC-MD5 and HMAC-
SHA are based on MD5 and SHA combined with the additional crypto features of the HMAC
algorithm. This is done to avoid tampering with the message digest itself. MD5 produces a 128-bit
message digest and SHA produces a 160-bit message digest, therefore SHA is a more secure hash
function than MD5. However, the HMAC-SHA and HMAC-MD5 variants used are truncated to the
most significant 96 bits. Truncation has security advantages (less information on the hash available to
the attacker) and disadvantages (less bits to predict for the attacker). In our opinion both truncated
versions of HMAC-SHA and HMAC-MD5 are secure enough for our requirements.
In our test environment, both HMAC-SHA and HMAC-MD5 were used; there was a slight preference
for HMAC-SHA.
Data encryption
Data confidentiality is achieved in IPSec by the use of symmetric encryption algorithms and session
keys. The most commonly used algorithms are:
ESP-NULL: No encryption applied.
DES (Data Encryption Standard): Provides encryption using a 56 bit key.
3DES (Triple Data Encryption Standard): Provides encryption using a 168 bit key.
AES (Advanced Encryption Standard): Provides encryption using 128, 192, and 256 key lengths.
According to RFC 2401, all IPSec devices should support at least ESP-NULL and DES. However,
DES is considered a weak encryption algorithm due to its short key length, and as such, some vendors
discourage its use and some others refuse to support it (i.e. FreeS/Wan).
Therefore, for the purpose of this test, NULL (no encryption) and 3DES encryption were used
whenever possible. DES was only used when 3DES was not available.
4 May 2003
9. IPSec Feasibility Study
An international VPN/IPSec via Internet must comply with the legislation of each country
(encryption, size of the key…). Therefore, each site should be aware of national policy
before using encryption.
Session key exchange
Diffie-Hellman (DH) is a public-key cryptography protocol. It allows two parties to establish a shared
secret between them. DH is used within IKE to establish a shared secret that is used as a session key.
The most common DH groups are:
Group 1: Uses a 768 bit public key to establish a shared secret.
Group 2: Uses a 1024 bit public key to establish a shared secret.
For the purpose of the tests, DH Group 2 was used since it is more secure and does not create any
overhead for the IPSec devices.
3.2 The lab tests
In order to validate the selected parameter settings of the IPSec features and before performing any
external (through the Internet) tests, a test environment was set up at ECMWF to conduct some
preliminary experiments. The aim of these tests was to get familiarised with IPSec configuration and
the certificate enrolment process.
Figure 2 shows the configuration of the test environment.
Internet Firewall
Linux s/WAN Server
DMZ
Back-to-Back
DMZ
CA Server
IPSec Tunnel
X509 Certificates
Exchange
Test RouterInternet Access
Router
Figure 2 - Network configuration test environment
May 2003 5
10. IPSec Feasibility Study
With this setup, we were able to:
Test three different authentication methods: PreShared keys, public encryption (RSA_ENCR)
and public keys signed by a Certification Authority (RSA_SIG).
Test X509 certification enrolment and utilisation.
Perform basic IPSec configuration: build tunnels with the chosen IKE/IPSec parameters.
Test a public domain IPSec implementation: FreeS/WAN
Test IPSec interoperability between several devices.
The test environment was also used during the Internet tests to reproduce problems in order to fix
them.
3.3 Internet tests
Figure 3 shows an overall view of the IPSec tests performed across the public Internet. The objective
of these Internet tests was to build secure connections between ECMWF and the Member States and
use them to transfer data. Configuration examples can be found in Annex A.
X509 Certifcate
Exchange
Test Router Linux FreeS/WAN
Test Router
FRANCE - MeteoFrance
NETHERLANDS - KNMI
FireWall
Test Router
GERMANY - DWD
GREECE - HNMS
FireWall
UK - ECMWF
Internet Access Router
DMZ
DMZ
CA Server
Internet
Access Device
INTERNET
FireWall
FireWall
Internet
Access Device
Internet
Access Device
Internet
Access Device
IPSec Tunnel
Figure 4 - Network configuration for the Internet tests
6 May 2003
11. IPSec Feasibility Study
4 Test Results
The following sections briefly describe the four tests conducted with the Member States and highlight
some of the experiences.
4.1 Test #1: Certificate enrolment and device authentication
The purpose of this test was to see how the different devices would go through the certificate
enrolment process and use the X509 certificate for device authentication. If there were problems with
devices using X509 certificates, PreShared keys were configured manually in the device. Most of the
tested devices succeeded in enrolling and using certificates for authentication1
.
The main issues encountered during this test were due to the fact that the devices use different
certificate enrolment methods (mainly URL and “out-of-band” download) and diverse certificate
formats.
4.2 Test #2: Data Integrity
The purpose of this test was to establish basic IPSec connections using HMAC (SHA and MD5)
algorithm to check the data integrity. The IKE negotiation used the X509 certificate downloaded from
the CA server. Except for FreeS/WAN, which does not implement the AH protocol, all the tested
devices were able to establish AH and ESP HMAC IPSec tunnels.
4.3 Test #3: Data Encryption
This test is a follow-up of test #2; it adds 3DES encryption. When 3DES was not available, DES was
used. The tests were carried out successfully. However, it is important to take into account that
3DES/DES encryption capability depends on the device hardware and software versions.
4.4 Test #4: Performance tests
In order to evaluate the impact of IPSec tunnelling on the CPU, a set of FTP tests was undertaken.
Several FTP tests were carried out, both with and without the establishment of IPSec tunnels.
The configuration below (Figure 5) was used to conduct the FTP tests; router B represents a generic
remote router that guarantees the Internet connection to and from a Member State.
IPSec Tunnel
Back-to-Back
30.0.0.1
40.0.0.2
Ethernet
New-ftp
FTP server
Laptop
Back-to-Back
10.0.0.1
10.0.0.2
Back-to-Back
20.0.0.1
20.0.0.2
30.0.0.2
40.0.0.1 Router BRouter A Router Router
FTP Transfer
Figure 5 - FTP Tests Lab Setup
1
CheckPoint FW1 equipment: only the enrolment of the certificate was tested. FW1 requires a Control
Revocation List (CRL) to start the IPSec process. The use of CRLs was not included in the tests. This will be
done at a future stage.
May 2003 7
12. IPSec Feasibility Study
Tests were also conducted across the Internet between ECMWF and a Cisco PIX firewall at DWD in
Germany.
The main conclusions from the performance tests are:
IPSec protocol has a significant impact on the CPU load of the device.
Encrypted tunnels are more CPU consuming than non-encrypted ones.
HMAC-MD5 algorithm is slightly less CPU consuming than HMAC-SHA algorithm.
ESP protocol for data integrity is equally as CPU consuming as AH protocol.
A small IPSec capable router (such as a Cisco 1605) is not suitable for IPSec tunnelling when
the Internet connection speed is higher than 128 kb/s.
8 May 2003
13. IPSec Feasibility Study
5 Recommendations
The following recommendations are based on the results of the tests described in section 3. These
recommendations should help sites to build secure IPSec connections over the public Internet.
5.1 Device authentication
The use of X509 certificates for device authentication is recommended for the following reasons:
It is the most secure method.
It is the most scalable method.
Furthermore, the generation of 1024 bit RSA keys and the use of DH group 2 (encryption algorithm)
are recommended.
5.2 Data integrity
Both AH and ESP protocols can be used for packet authentication. However:
The tests showed that ESP consumes as much CPU load as AH.
Only ESP protocol can ensure packet encryption (see Section 4.3).
Therefore, for reasons of simplicity the use of ESP HMAC for packet authentication is recommended.
Also, either ESP-HMAC-MD5 or ESP-HMAC-SHA can be used.
5.3 Data encryption
Because of the nature of the data (meteorological) encryption is not strictly required. Since data
encryption is CPU consuming ensuring packet authentication provides enough security. Therefore, the
use of ESP NULL is recommended. This means that ESP will be applied to the packet with no
encryption.
If ever data encryption is needed, the implementation of ESP-3DES is recommended, as it is more
secure than DES.
5.4 The IPSec capable equipment
In the light of the previous recommendations (Sections 4-1 to 4-3), the following should be
considered, when selecting an IPSec-capable device to implement a VPN:
For scalability reasons, the device should be IKE capable and should support X509 certificate
standard.
It is important that the device supports ESP_NULL encryption method.
If considering data encryption, the equipment must be 3DES-capable. Moreover, it should be
taken into account that AES may soon become the de facto encryption standard. Therefore,
equipment that is also AES-capable is desirable, in order to anticipate future requirements.
For sites with a high speed Internet connection, a dedicated VPN/IPSec device with
encryption card (acceleration card) is recommended, as it significantly reduces the CPU load
when the IPSec protocol is used.
As a final note, the tests showed that it is easier to configure IPSec-capable equipment than to
implement a public domain solution. Nevertheless, an open source implementation, FreeS/WAN,
could be considered, bearing in mind that FreeS/WAN implements 3DES encryption by default (refer
to http://www.freeswan.org for further details).
May 2003 9
14. IPSec Feasibility Study
5.5 Network Design
When designing an IPSec implementation, a set of guidelines has to be taken into account. The VPN
gateway should always be in a DMZ and never inside the “private” network. This means that the VPN
device has to be somewhere between a Firewall and the external network (the Internet); all the traffic
between the VPN device and the private internal network should go through a Firewall, see Figure 6.
Because the VPN device is located on a DMZ, it is important to configure the Firewall to allow IPSec
traffic to and from it. The following table shows the IP protocols and TCP/UDP port numbers a
Firewall has to allow for IPSec to work:
Protocol/Port Comment:
IP protocol 50 ESP protocol
IP Protocol 51 AH protocol
UDP 500 IKE negotiation
UDP/TCP 10000 NAT tunnelling
To implement IPSec, it is not mandatory to use a dedicated IPSec device. It is possible to combine
IPSec and firewall capabilities or IPSec and Internet access capabilities or all three capabilities in a
single device.
The following diagram (Figure 6) shows a topology on which a dedicated VPN/IPSec device is used
in addition to the Internet access router and the Firewall.
INTERNET Firewall
INTERNET DMZ
VPN DMZ
VPN/IPSec
DEVICE
IPSec Tunnel
X509 Certificates
Exchange (IKE)
INTERNET
LAN
INTERNET
ACCESS
DEVICE
Figure 6 - VPN Network Design using a dedicated VPN device
10 May 2003
15. IPSec Feasibility Study
6 Acknowledgement
The following persons contributed to the study and the creation of this document:
Inge Essid, DWD
Ilona Glaser, DWD
Erwan Favennec, Meteo France
Georgios Konstandinidis, HNMS
Frits van de Peppel, KNMI
Freerk Feunekes, KNMI
Carmine Rizzo, ECMWF
Ahmed Benallegue, ECMWF
Matteo dell'Acqua, ECMWF
Ricardo Correa, ECMWF
Tony Bakker, ECMWF
Pam Prior, ECMWF
May 2003 11
17. IPSec Feasibility Study
Annex A - Configuration guidelines and examples
A.1 Output and configuration files for Cisco Router and PIX
Cisco IOS: certificate enrolment guideline
The main points to consider when requesting a certificate from a Cisco Router are:
1- Configure the Router's Host Name and Domain Name: Use “hostname” and “ip domain-name”
global configuration commands.
2- Set the Router's Time and Date: ensure that the router's time zone, time and date have been
accurately configured with the “set clock” command. The clock must be set before generating
RSA key pairs and enrolling the certificate, as the keys and certificates are time-sensitive.
3- RSA key pairs must be generated using a modulus of 1024: using the “crypto key generate rsa”
command, generate RSA key pairs with a modulus of 1024.
4- Declare the CA and configure its parameters:
o To declare the CA: “crypto ca identity <CA identity>”
o To configure its parameters: “enrolment url <CA server URL>” and “crl optional”
o To authenticate the CA: “ca authenticate <CA identity>”
5- Request a X509 certificate: when requesting a X509 certificate, answer “no” when asked if you
want to include:
o The router serial number
o An IP address in the subject name
Cisco IOS: enrolment output
The following is the output from a certificate enrolment performed on a Cisco router:
! The first step is to generate the RSA key
Cisco-Test(config)#crypto key generate rsa
The name for the keys will be: mys-cisco.domain.top
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
! The second step is to identify the CA server
Cisco-Test(config)#ca iden
Cisco-Test(config)#crypto ca identity my-test
Cisco-Test(ca-identity)# enrollment url http://myca.domain.top/cgi-bin/openscep
Cisco-Test(ca-identity)# crl optional
Cisco-Test(ca-identity)#exit
Cisco-Test(config)#crypto ca authenticate my-test
Certificate has the following attributes:
Fingerprint: 8395FE5B C08238A7 FA6BFD76 727E84A7
% Do you accept this certificate? [yes/no]: yes
! The third step is to request a certificate from the CA server
Cisco-Test(config)#crypto ca enrol my-test
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will be: my-cisco.domain.top
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
Cisco-Test(config)#exit
May 2003 13
18. IPSec Feasibility Study
Cisco-Test#
! Once the 3 steps are completed, two certificates are available in the router: the CA certificate and the router‘s certificate
Cisco-Test#show crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Key Usage: General Purpose
EA =<16> ca-email@domain.top
CN = Org
O = Org
L = Place
ST = county
C = Country
Validity Date:
start date: 08:51:38 GMT Apr 9 2002
end date: 08:51:38 GMT Apr 8 2012
Certificate
Status: Available
Certificate Serial Number: 3F
Key Usage: General Purpose
Subject Name
Name: my-test.domain.top
Validity Date:
start date: 15:56:14 GMT Jun 12 2002
end date: 15:56:14 GMT Jun 13 2007
Cisco IOS: IPSec configuration example
The following is an ESP-HMAC-SHA ESP-NULL IPSec tunnel configuration example:
hostname Cisco
!
! The time zone must be accurate, as the certificates are time sensitive
clock timezone GMT 0
!
! The following lines describe the CA server name and IP address
ip host myca.domain.top 191.168.1.1
ip domain-name domain.top
!
! CA identity command specifies the local name of the CA server
crypto ca identity my-test
enrollment url http://myca.domain.top/cgi-bin/openscep
crl optional
!
! The following lines are the certificates available in the router
crypto ca certificate chain my-test
certificate 36
30820338 308202A1 A0030201 02020136 300D0609 2A864886 F70D0101 04050030
****
B49B0FEF 07921B58 B9BD54B2 0713AE83 B6BA3CB4 B8D30EA8 95005EEA
quit
certificate ca 01
30820379 308202E2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
****
9A81DB7F 902EE833 800B9487 9634907E 9333BE95 88900068 7889AB95 51
quit
!
! The isakmp (ike) policy parameters are used when the router tries to establish the IKE tunnel
crypto isakmp policy 100
group 2
!
crypto isakmp policy 200
encr 3des
group 2
!
! “transform-set” command defines which kind of IPSec tunnelit is possible to establish
crypto ipsec transform-set MoreSecure esp-sha-hmac esp-null
!
! A crypto-map links a set of IPSec parameters with the remote IPSec gateway
crypto map IOS_IOS 10 ipsec-isakmp
description To Cisco-Test internal router
set peer 10.0.0.1
set transform-set MoreSecure
match address 151
!
! Finally, a crypto-map that will be used to establish IPSec tunnels is applied to the physical interface
interface FastEthernet4/0
ip address 10.0.0.2 255.0.0.0
crypto map IOS_IOS
!
! The mirror ACL will trigger the IPSec tunnel establishment
access-list 151 permit ip host 192.168.1.2 host 192.168.2.1 log
end
14 May 2003
19. IPSec Feasibility Study
Cisco PIX: configuration example
The following is a ESP-HMAC-SHA ESP-NULL IPSec tunnel configuration example for a Cisco
PIX:
PIX Version 6.2(1)
hostname pix
domain-name domain.top
!
****
!
! The following ACL will be used to trigger the IPSec tunnel establishment
access-list 101 permit ip host 192.168.3.1 host 192.168.1.2
! IPSec protocol must be enabled in the device
sysopt connection permit-ipsec
no sysopt route dnat
! “transform-set” command defines which kind of IPSec tunnel it will be possible to establish
crypto ipsec transform-set MoreSecure2 esp-null esp-sha-hmac
! A crypto map defines the IPSec parameters, which will be negotiated during the IPSec tunnel establishment
crypto map ECMWF_MSS 50 ipsec-isakmp
crypto map ECMWF_MSS 50 match address 101
crypto map ECMWF_MSS 50 set peer 192.168.4.1
crypto map ECMWF_MSS 50 set transform-set MoreSecure
crypto map ECMWF_MSS interface outside
! The isakmp (ike) policy parameters are used when the device tries to establish the IKE tunnel
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ca identity myca.domain.top 192.168.1.19:/cgi-bin/openscep
ca configure myca.domain.top ca 1 1 crloptional
A.2 FreeS/WAN configuration example
FreeS/WAN (ipsec.conf) configuration file for an ESP-HMAC-SHA ESP-3DES configuration
example:
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=all
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=2
# RSA authentication with keys from DNS.
# authby=secret
authby=rsasig
#
# use x509 certificates
#
leftrsasigkey=%cert
rightrsasigkey=%cert
#
#freeswan security gateway
left=192.168.1.20
leftsubnet=192.168.1.20/32
leftid=@host.domain.top
May 2003 15
20. IPSec Feasibility Study
#
keyexchange=ike
# the following is the IPSec configuration towards the “cisco” router
conn rw1
right=192.168.5.2
rightid=@host.otherdomain.top
rightsubnet=10.0.0.0/8
ikelifetime=3600
keylife=3600
pfs=no
auto=start
esp=3des-sha-96
16 May 2003
21. IPSec Feasibility Study
Annex B - References
A cryptographic Evaluation of IPSec - Niels Ferguson and Bruce Schneier - Counterpass
Internet Security, Inc.
Applied Cryptography - Bruce Schneier - Wiley
Cisco Secure VPN - Andre G. Mason - Cisco Press
FreeS/WAN: http://www.freeswan.org
IPSec Protocol: http://www.ietf.org/html.charters/ipsec-charter.html
IPSec RFCs - http://www.ietf.org/rfc.html
IPSec Securing VPNs - Carlton R. Davis - RSA Press
VPN Consortium: http://www.vpnc.org
May 2003 17
22. IPSec Feasibility Study
18 May 2003
Annex C - List of acronyms
3DES Triple Data Encryption Standard
AES Advanced Encryption Standard
AH Authentification Header
CA Certificate Authority
CRL Certificate Revocation List
DER Distinguished Encoding Rules
DES Data Encryption Standard
DH Diffie-Hellman Key Agreement
DWD Deutscher Wetterdienst
ECMWF European Centre for Medium-Range Weather Forecasts
ESP Encapsulating Security Payload
HMAC Hashed Message Authentication Code
HNMS Hellenic National Meteorological Service
IKE Internet Key Exchange
IPSec IP Security Protocol
KNMI Koninklijk Nederlands Meteorologisch Instituut
MD5 Message Digest 5
NAT Network Address Translation
PEM Privacy Enhanced Mail
PKI Public Key Infrastructure
QoS Quality Of Service
RFC Request For Comments
RMDCN Regional Meteorological Data Communication Network
RSA Rivest, Shamir, Adleman
SHA Secure Hash Algorithm